RADIUSdesk

logo
Trace:

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
technical:openvpn-bridges-prep-openvpn [2023/10/21 05:35]
admin [Prepare /etc/openvpn/up.sh] 		technical:openvpn-bridges-prep-openvpn [2024/01/11 13:24] (current)
admin [OpenVPN server config for br0.103]
Line 9: Line 9:
         * We are not going to use encryption of the tunnel.         * We are not going to use encryption of the tunnel.
         * We are not going to use the PKI.         * We are not going to use the PKI.
-        * We are compressing the data.+        * We are not compressing the data.
         * We are using a username and password given by the client and pass it onto a script to verify if the client is valid.         * We are using a username and password given by the client and pass it onto a script to verify if the client is valid.
   * Remove /etc/openvpn/server.conf   * Remove /etc/openvpn/server.conf
Line 17: Line 17:
 ===== OpenVPN server config for br0.101 ===== ===== OpenVPN server config for br0.101 =====
   * Create a file called **/etc/openvpn/server_vlan_101.conf**.   * Create a file called **/etc/openvpn/server_vlan_101.conf**.
-  * Be sure to check the correct value for eth0.101. It might be eth1.101 with your config. (up “/etc/openvpn/up.sh br0.101 eth1.101”)+  * Be sure to check the correct value for eth1.101. It might be eth0.101 with your config. (up “/etc/openvpn/up.sh br0.101 eth0.101”)
 <file bash server_vlan_101.conf> <file bash server_vlan_101.conf>
 mode server mode server
- +
 auth none auth none
-cipher none +
- +
 tmp-dir /dev/shm tmp-dir /dev/shm
- +
 auth-user-pass-verify "/etc/openvpn/openvpn_auth.pl" via-file auth-user-pass-verify "/etc/openvpn/openvpn_auth.pl" via-file
 verify-client-cert none verify-client-cert none
 username-as-common-name username-as-common-name
 script-security 2 script-security 2
-  + 
-local 198.27.111.78+local 178.1.1.20
 port 1194 port 1194
 proto udp proto udp
Line 39: Line 38:
 key server.key  # This file should be kept secret key server.key  # This file should be kept secret
 dh dh.pem dh dh.pem
-  + 
-up "/etc/openvpn/up.sh br0.101 eth0.101"+up "/etc/openvpn/up.sh br0.101 eth1.101"
 server-bridge 10.101.0.1 255.255.0.0 10.101.0.2 10.101.0.100 server-bridge 10.101.0.1 255.255.0.0 10.101.0.2 10.101.0.100
- +
 ifconfig-pool-persist ipp.txt ifconfig-pool-persist ipp.txt
 ;client-config-dir ccd ;client-config-dir ccd
 keepalive 10 120 keepalive 10 120
-comp-lzo 
 persist-key persist-key
 persist-tun persist-tun
 status openvpn-status.log status openvpn-status.log
 verb 4 verb 4
 +allow-compression no
 +data-ciphers none
 +cipher none
 </file> </file>
  
Line 60: Line 61:
    
 auth none auth none
-cipher none 
    
 tmp-dir /dev/shm tmp-dir /dev/shm
Line 69: Line 69:
 script-security 2 script-security 2
    
-local 198.27.111.78+local 178.1.1.20
 port 1195 port 1195
 proto udp proto udp
Line 78: Line 78:
 dh dh.pem dh dh.pem
    
-up "/etc/openvpn/up.sh br0.102 eth0.102"+up "/etc/openvpn/up.sh br0.102 eth1.102"
 server-bridge 10.102.0.1 255.255.0.0 10.102.0.2 10.102.0.100 server-bridge 10.102.0.1 255.255.0.0 10.102.0.2 10.102.0.100
    
Line 84: Line 84:
 ;client-config-dir ccd ;client-config-dir ccd
 keepalive 10 120 keepalive 10 120
-comp-lzo 
 persist-key persist-key
 persist-tun persist-tun
 status openvpn-status.log status openvpn-status.log
 verb 4 verb 4
 +allow-compression no
 +data-ciphers none
 +cipher none
 </file> </file>
  
Line 98: Line 100:
    
 auth none auth none
-cipher none 
    
 tmp-dir /dev/shm tmp-dir /dev/shm
Line 107: Line 108:
 script-security 2 script-security 2
    
-local 198.27.111.78+local 178.1.1.20
 port 1196 port 1196
 proto udp proto udp
Line 116: Line 117:
 dh dh.pem dh dh.pem
    
-up "/etc/openvpn/up.sh br0.103 eth0.103"+up "/etc/openvpn/up.sh br0.103 eth1.103"
 server-bridge 10.103.0.1 255.255.0.0 10.103.0.2 10.103.0.100 server-bridge 10.103.0.1 255.255.0.0 10.103.0.2 10.103.0.100
    
Line 122: Line 123:
 ;client-config-dir ccd ;client-config-dir ccd
 keepalive 10 120 keepalive 10 120
-comp-lzo 
 persist-key persist-key
 persist-tun persist-tun
 status openvpn-status.log status openvpn-status.log
 verb 4 verb 4
 +allow-compression no
 +data-ciphers none
 +cipher none
 </file> </file>
 ===== Prepare /etc/openvpn/up.sh ===== ===== Prepare /etc/openvpn/up.sh =====
Line 156: Line 159:
   * The **openvpn_auth.pl** script can then be copied to the server running the OpenVPN server.   * The **openvpn_auth.pl** script can then be copied to the server running the OpenVPN server.
   * You just have to configure the **openvpn_auth.pl** script to point to your RADIUSdesk server to do the API calls when authenticating a client.   * You just have to configure the **openvpn_auth.pl** script to point to your RADIUSdesk server to do the API calls when authenticating a client.
-  * The **openvpn_auth.pl** script is traditionally under **/usr/share/nginx/html/cake2/rd_cake/Setup/Scripts/**. +  * The **openvpn_auth.pl** script is traditionally under **/var/www/rdcore/cake4/rd_cake/setup/scripts/**. 
-  * Copy this file to a convenient location on the OpenVPN server and edit the following to point to your RADIUSdesk server.+  * Copy this file to **/etc/openvpn/** on the OpenVPN server and edit the following to point to your RADIUSdesk server.
 <code bash> <code bash>
 my $protocol='http'; my $protocol='http';
 my $server_name_or_ip='198.27.111.78'; my $server_name_or_ip='198.27.111.78';
-my $api_path="/cake2/rd_cake/openvpn_servers/auth_client.json";+my $api_path="/cake4/rd_cake/openvpn-servers/auth-client.json";
 </code> </code>
   * Make sure this file is executable in its new location:   * Make sure this file is executable in its new location:
 <code bash> <code bash>
-sudo chmod 755 /home/system/openvpn_auth.pl+sudo chmod 755 /etc/openvpn/openvpn_auth.pl
 </code> </code>
-===== Restart OpenVPN service ===== +  Make sure the Perl modules that are used by this script are installed.
-  Restart the OpenVPN service.+
 <code bash> <code bash>
-sudo service openvpn stop +sudo apt-get install liblwp-protocol-https-perl 
-sudo service openvpn start +</code> 
-#You should now see the following +===== Test Start OpenVPN service ===== 
-Starting virtual private network daemon(s)...  +  * Be aware that the **systemctl start openvpn** is not starting your openvpn you just defined. 
-Autostarting VPN 'server_vlan_101' +  * Openvpn uses templatized systemd jobs, openvpn@CONFIGFILENAME. 
-Autostarting VPN 'server_vlan_102' +  * So if for example your configuration file is myserver.conf your service is called openvpn@myserver. 
-Autostarting VPN 'server_vlan_103'  +  You can run all kinds of service and systemctl commands like start/stop/enable/disable/preset against a templatized service like openvpn@server. 
 +  With that in view you can tests start the individual servers based on their config files
 +<code bash> 
 +#start 101 
 +sudo systemctl start openvpn@server_vlan_101 
 +#check the output for any errors 
 +journalctl -xeu openvpn@server_vlan_101.service 
 +#start 102 
 +sudo systemctl start openvpn@server_vlan_102 
 +#check the output for any errors 
 +journalctl -xeu openvpn@server_vlan_102.service 
 +#start 103 
 +sudo systemctl start openvpn@server_vlan_103 
 +#check the output for any errors 
 +journalctl -xeu openvpn@server_vlan_103.service
 </code> </code>
 ===== Check the bridges ===== ===== Check the bridges =====
Line 190: Line 206:
  tap2  tap2
 </code> </code>
 +===== Install ifconfig =====
 +  * Although ifconfig does not come standard with recent versions of Ubuntu and we try to use the replacement **ip** command where possible, we will install ifconfig to help here.
 +  * It is also required during the next section when we work with CoovaChilli.
 +<code bash>
 +sudo apt install net-tools
 +</code>
 +==== Test ifconfig ====
   * ifconfig should also include a list of three tap interfaces   * ifconfig should also include a list of three tap interfaces
 <code bash> <code bash>
Line 216: Line 239:
           RX bytes:0 (0.0 B)  TX bytes:648 (648.0 B)           RX bytes:0 (0.0 B)  TX bytes:648 (648.0 B)
 </code> </code>
-<WRAP center round tip 90%> + 
-  * If your server has only **one** interface card, be sure to add the following line to the **/etc/rc.local** file to ensure OpenVPN is only started up after the bridges have been set up.+===== OpenVPN Startup ===== 
 +  * Since we use our own startup script to prepare the environment we will disable the normal startup sequience of OpenVPN. 
 +  We will start it up **after** our environment has been prepared. 
 +  * Disable the startup of OpenVPN 
 +<code bash> 
 +sudo systemctl disable openvpn 
 +</code> 
 +  * Add the following lines to the **/etc/rc.local** file to ensure OpenVPN starts up **after** the bridges have been set up.
 <code bash> <code bash>
-/sbin/brctl addif br0.103 eth1.103 
 /sbin/ip addr add 10.103.0.1/16 dev br0.103 /sbin/ip addr add 10.103.0.1/16 dev br0.103
 /sbin/ip link set dev br0.103 up /sbin/ip link set dev br0.103 up
- +
 #Add the startup of OpenVPN #Add the startup of OpenVPN
-/usr/sbin/service openvpn start +systemctl start openvpn@server_vlan_101 
- +systemctl start openvpn@server_vlan_102 
 +systemctl start openvpn@server_vlan_103 
 exit 0 exit 0
 </code> </code>
-</WRAP>+
   * We are making good progress. Next we will install and configure **Coova Chilli** so that it runs an instance on each VLAN.   * We are making good progress. Next we will install and configure **Coova Chilli** so that it runs an instance on each VLAN.
   * To confirm everything will come up after a power cycle, go ahead and reboot the server.   * To confirm everything will come up after a power cycle, go ahead and reboot the server.
Last modified: 2023/10/21 05:35